Open In App

Zone-based firewall Configuration

Last Updated : 10 Jun, 2022
Like Article

Prerequisite – Zone-based firewall Zone-based firewall is an advanced method of stateful firewall. In stateful firewall, an entry containing source IP address, destination IP address, source Port number and destination Port number, is maintained for the traffic generated by the trusted (private) network in the stateful database. This will only the traffic including the replies for the private (trusted) network using the stateful database. Zone-based Firewall procedure:

  1. Create zones and assign an interface to it – In Zone-based firewall, logical zones are created. A zone is assigned to an interface. By default, traffic from one zone to another is not allowed.
  2. Create class-map – After creating a zone, a class-map policy is made which will identify the type of traffic, like ICMP, on which the policies will be applied.
  3. Create policy-map and assign class-map to the policy-map – After identifying the type of traffic in class-map, we have to define what action must be taken on the traffic. The action can be:
    • Inspect: It is same as inspection of CBAC i.e only that traffic will be allowed from the outside network which will be inspected (return traffic of inside (trusted) network.
    • Drop: This is the default action for all traffic. The class-map configured in a policy map can be configured to drop unwanted traffic.
    • Pass: This will allow the traffic from one zone to another. Unlike inspect action, it will not create a session state for a traffic. If we want to allow traffic from the opposite direction, corresponding policy should be created.
  4. Configure a zone-pair and assign the policy – A zone-pair is configured for one direction only. Policies are defined in which traffic is identified (what type of traffic) then what action should be taken (Inspect Denied, permit). Then we have to apply this policies to a zone-pair.

Configuration: As shown in the figure, 4 routers are connected with each other namely Router1 having ip address on its fa0/0 interface, Router2 having IP address on its fa0/0 on its fa0/1 interface and on its fa1/0 interface, Router3 having IP address on its fa0/1 interface and Router4 has on its fa0/1 interface. First we have to perform routing so that the routers are reachable to each other. Configuring RIP on Router2:

Router2(config)#router rip
Router2(config-router)#no auto-summary

Now, giving default route on Router1:

Router1(config)#ip route 

Giving default route on Router2

Router3(config)#ip route

Giving default route on Router4

Router4(config)#ip route

Now, we have to redistribute default routes in RIP:

Router2(config)#router rip
Router2(config-router)#default-information originate 

These routers will be able to ping each other. Now, configure Zone-based firewall. In this scenario, we will allow only ICMP traffic and telnet traffic from inside zone to outside zone. To achieve this task, following steps will be taken:

  • Create zones and assign interfaces to zone – First, we have to configure a name for zone and then apply it to the interface (here, Router2). Configuring the zones and name them as inside, outside and dmz.
Router2(config)#zone security inside
Router2(config)#zone security outside 
Router2(config)#zone security dmz 

Now, applying zones to the interfaces.

Router2(config)#interface fa0/0
Router2(config-if)#zone-member security inside
Router2(config)#interface fa0/1
Router2(config-if)#zone-member security outside
Router2(config)#interface fa1/0
Router2(config-if)#zone-member security dmz

After applying zones to the interface, the routers will not be able to ping each other as by default, traffic from one zone to another will be drop (as per default policy).

  • Create a class-map – Class-map will be created to identify the type of traffic in which we want to perform the operation. Configuring class-map stating the type of traffic on which inspection will be performed.
Router2(config)#class-map type inspect match-any in-out
Router2(config-cmap)#match protocol icmp
Router2(config-cmap)#match protocol telnet

match-any means any of the statement matches in the class-map i.e either for telnet or ICMP. We have given name in-out to the class-map.

  • Create policy-map and apply class-map to the policy-map – Policy-map will be configured to mention what operation (inspect, drop or pass) will be performed. In our scenario, we will use inspect i.e only that traffic will enter from outside to inside zone if it has an entry in stateful database (replies of traffic initiated in inside zone).
Router2(config)#policy-map type inspect in-out
Router2(config-pmap)#class in-out

Here, we have configured a policy-map named input an assign class-map (named in-out) to it and action that will be taken is inspect. Here, we have taken same name of class-map and policy-map. Different names can be taken but then it will be complicated.

  • Create zone-pair and apply policy-map to the zone-pair – Create zone pair specifying the source and the destination zone and apply the policy-map to the zone-pair.
Router2(config)#zone-pair security in-outpair source inside destination outside
Router2(config-sec-zone-pair)#service-policy type inspect in-out

Here, in the first command, notice that in-outpair is the name for zone-pair in which inside zone will be the source and outside zone will be the destination. It means a zone-pair has been defined in direction from inside zone to outside zone. In the second command, in-out is the name of policy-map. Now, the inside zone will  be to ping and telnet the outside zone devices but for vice-versa we have to define separate zone-pair. Also, note that inside zone devices will be able to reach outside zone devices but not DMZ zone because no zone-pair has been defined for it.

Like Article
Suggest improvement
Share your thoughts in the comments

Similar Reads